Internal Path Disclosure
Mobile applications and their backend servers exchange messages in a defined format: the app requests a resource, and the server answers. The server keeps the application's backend code and data in a directory tree, and a response, most often an error message, can reveal that internal layout. If an attacker can read the response, whether by intercepting unencrypted traffic or simply by sending requests from a device they control, the disclosed paths tell them where code and data live on the server and inform later attacks. One example of such a scenario is illustrated below.
A mobile application requests a file from its server. The server looks in the directory where the file should be, does not find it, and returns an error to the client. The error message includes the full path of the directory along with the statement that the file was not found. An attacker who intercepts and decodes that response now knows the absolute location of the application's data on the server. The disclosure on its own does not let them touch the file system; but once they obtain access to the server through some other weakness and can run their own code there, they no longer need to search for the data: they target the disclosed path directly and delete the critical data stored under it.
The fix belongs on the server. Error responses should carry a generic message (for example "Resource not found") and, if needed, an opaque reference number that operators can match against the server log, where the full path and the exception detail are recorded. Stack traces, absolute paths, and framework debug output must be disabled in production, and the format of every server reply should be reviewed so that it reveals nothing about the internal directory structure. Removing from the app the request parameters that trigger such messages is not sufficient, since an attacker controls the client and can send whatever request they like. Encrypting the channel with TLS limits interception by third parties but does not protect against the attacker's own client.
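The scenario and the fix above, as an added example that is not part of the original page: a file-fetch handler that leaks the server path in its 404 body, the hardened version that returns a generic message plus a log reference, and a small review check that scans response bodies for path-like strings. The document root, file names and log format are constructed for the illustration, not taken from any real deployment.

```python
from __future__ import annotations

import logging
import os
import posixpath
import re
import uuid

# Constructed document root for this illustration; the page names no real path.
DOCUMENT_ROOT = "/var/www/mobile-backend/storage/reports"

log = logging.getLogger("backend")


def vulnerable_fetch(filename: str) -> tuple[int, dict]:
    """'Before' handler: the 404 body echoes the absolute server-side path."""
    full_path = posixpath.join(DOCUMENT_ROOT, filename)
    if not os.path.isfile(full_path):
        # Leaks the internal directory layout to whoever can read the response.
        return 404, {"error": f"File not found: {full_path}"}
    with open(full_path, "rb") as fh:
        return 200, {"data": fh.read()}


def hardened_fetch(filename: str) -> tuple[int, dict]:
    """'After' handler: generic client message; the real path goes to the server log."""
    # Accept a bare file name only: a separator, a backslash or a traversal
    # component is rejected before it is ever joined onto DOCUMENT_ROOT.
    if (not filename or "\\" in filename
            or posixpath.basename(filename) != filename or filename in (".", "..")):
        return 400, {"error": "Invalid resource name"}
    full_path = posixpath.join(DOCUMENT_ROOT, filename)
    if not os.path.isfile(full_path):
        ref = uuid.uuid4().hex[:8]
        # Operators look the reference up in the log; the client learns nothing
        # about the directory structure.
        log.warning("ref=%s missing file %s", ref, full_path)
        return 404, {"error": "Resource not found", "ref": ref}
    with open(full_path, "rb") as fh:
        return 200, {"data": fh.read()}


# Heuristic for response review: an absolute POSIX path with two or more
# components that is not part of a URL, or a Windows drive path.
PATH_PATTERN = re.compile(
    r"(?<![\w:/])(?:/[\w.\-]+){2,}"     # /var/www/app/...
    r"|[A-Za-z]:\\(?:[\w.\-]+\\?)+"     # C:\inetpub\wwwroot\...
)


def find_internal_paths(text: str) -> list[str]:
    """Return path-like strings found in a response body."""
    return PATH_PATTERN.findall(text)


if __name__ == "__main__":
    for handler in (vulnerable_fetch, hardened_fetch):
        status, body = handler("quarterly-report.pdf")
        leaked = find_internal_paths(body.get("error", ""))
        print(f"{handler.__name__}: {status} {body} leaked={leaked}")
```

Run `find_internal_paths` over the bodies captured by an intercepting proxy during testing; any hit is a response format that needs the treatment shown in `hardened_fetch`. The pattern is a heuristic and will miss relative paths, so it supplements rather than replaces a manual review of error formats.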